One week after launching a security bug bounty program, the new file-storage and sharing service Mega claims to have fixed seven vulnerabilities, none of which met its highest severity classification.

Since Mega was launched three weeks ago, security researchers pinpointed several security issues with the service, ranging from simple cross-site scripting flaws to alleged weaknesses in its cryptographic model.

Mega's creators dismissed some of the issues as theoretical and asked for practical exploits. To support such efforts, a week ago they launched a vulnerability reward program similar to those run by companies such as Google, Facebook, Mozilla and PayPal, as well as two crypto cracking challenges to prove that their cryptographic implementation is solid.

The company promised rewards of up to ¬10,000 for responsibly reported vulnerabilities that meet the program's qualification requirements. In a new blog post published Saturday, the company said that reported vulnerabilities will be ranked according to severity, with "class I" being the least severe and "class VI" being the most severe.

So far, seven vulnerabilities have been reported and fixed, according to the blog post.

Of those, the most severe vulnerability was an "invalid application of CBC-MAC as a secure hash to integrity-check active content loaded from the distributed static content cluster." This vulnerability was rated class IV, which is assigned to "cryptographic design flaws that can be exploited only after compromising server infrastructure (live or post-mortem)."

However, this flaw's description matches that of a vulnerability publicly disclosed by a hacker group called fail0verflow on Jan. 23, over a week before Mega set up its vulnerability reward program. At the time the group reported that Mega was using CBC-MAC -- a message authentication code (MAC) algorithm -- with a fixed key to verify the integrity of JavaScript content served from its secondary servers. The group noted at the time that CBC-MAC was unsuitable for this purpose.

In addition to this vulnerability, Mega's creators claim that three cross-site scripting (XSS) vulnerabilities with a class III severity rating were addressed. Class III flaws are described as vulnerabilities that can be generally exploited to achieve remote code execution inside client browsers (cross-site scripting).

Mega did not publish the names of the researchers who discovered these flaws -- a somewhat unusual practice when compared to other bug bounty programs -- or how much money it paid for each one.

Based on discussions on Twitter, it seems that one of these three XSS vulnerabilities was reported by a security researcher named Frans Rosen. Rosen posted a screen shot of what appears to be his email communication with Mega, suggesting that he received a reward of ¬1,000 for his report.

A fourth XSS vulnerability was also addressed but this was rated as class II because it required the compromise of one of Mega's API (application programming interface) servers or a SSL/DNS man-in-the-middle attack to be successfully exploited.

Two low severity -- class I -- issues have also been fixed, the Mega creators said. They involved the failure to use HTTP Strict Transport Security (HSTS) and X-Frame-Options HTTP headers.

HSTS is a Web security policy mechanism that allows websites to force browsers to communicate over HTTPS (HTTP Secure) and reject the connection if it's redirected over plain, unencrypted, HTTP. The X-Frame-Options header can be used to specify whether a Web page can be loaded inside an iframe on another page and is used to protect against a type of attack known as clickjacking.

Both of these issues have been fixed and, in addition, mega.co.nz and *.api.mega.co.nz will be HSTS-preloaded in Chrome, the Mega creators said.

No class V or class VI vulnerabilities have been reported so far. Class V corresponds to vulnerabilities that could result in remote code execution or access control violations on Mega's main servers and class VI is reserved for fundamental flaws in the service's cryptographic implementation.

The two cryptographic cracking challenges that Mega launched last week have not yet been solved, prompting Mega's creators to boast: "please check back in a few billion billion years."

"Whatever you think of Mega, its founder, its raison d'etre, its bombasticity and even the value of the bounties its offering, it nevertheless reflects to the company's credit that it came out with the bounties at all," said Paul Ducklin, the head of technology for the Asia-Pacific region at Sophos antivirus, Monday in a blog post.

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.

Contact Us

With over 25 years of brand awareness and credibility, Good Gear Guide (formerly PC World Australia), consistently delivers editorial excellence through award-winning content and trusted product reviews.